Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/257293?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/257293?format=api", "purl": "pkg:composer/october/system@1.0.439", "type": "composer", "namespace": "october", "name": "system", "version": "1.0.439", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42510?format=api", "vulnerability_id": "VCID-196s-wgwr-kyd6", "summary": "Improper Verification of Cryptographic Signature\nOctobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS does not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23655", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34084", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34002", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34102", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34117", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23655" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:10:01Z/" } ], "url": "https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23655", "reference_id": "CVE-2022-23655", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23655" }, { "reference_url": "https://github.com/advisories/GHSA-53m6-44rc-h2q5", "reference_id": "GHSA-53m6-44rc-h2q5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-53m6-44rc-h2q5" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5", "reference_id": "GHSA-53m6-44rc-h2q5", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:10:01Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60797?format=api", "purl": "pkg:composer/october/system@1.0.475", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.475" }, { "url": "http://public2.vulnerablecode.io/api/packages/147767?format=api", "purl": "pkg:composer/october/system@1.1.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.11" } ], "aliases": [ "CVE-2022-23655", "GHSA-53m6-44rc-h2q5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-196s-wgwr-kyd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57250?format=api", "vulnerability_id": "VCID-1u23-49vh-a7cz", "summary": "October CMS Allows Unprotected SVG Rename in Media Manager\nThis advisory affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension.\n\nThis vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-51991", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54768", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54772", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00313", "scoring_system": "epss", "scoring_elements": "0.54778", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-51991" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51991", "reference_id": "CVE-2024-51991", "reference_type": "", "scores": [ { "value": "1.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51991" }, { "reference_url": "https://github.com/advisories/GHSA-96hh-8hx5-cpw7", "reference_id": "GHSA-96hh-8hx5-cpw7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-96hh-8hx5-cpw7" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7", "reference_id": "GHSA-96hh-8hx5-cpw7", "reference_type": "", "scores": [ { "value": "1.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-05T18:06:02Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85042?format=api", "purl": "pkg:composer/october/system@3.7.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.5" } ], "aliases": [ "CVE-2024-51991", "GHSA-96hh-8hx5-cpw7" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1u23-49vh-a7cz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42502?format=api", "vulnerability_id": "VCID-26wk-v39m-tue9", "summary": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\nOctobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this vulnerability, an attacker must first have access to the backend area. The issue has been patched in Build 474 (v1.0.474) and v1.1.10.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-21705", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.70336", "scoring_system": "epss", "scoring_elements": "0.98705", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.70336", "scoring_system": "epss", "scoring_elements": "0.98704", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-21705" }, { "reference_url": "https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:38Z/" } ], "url": "https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21705", "reference_id": "CVE-2022-21705", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21705" }, { "reference_url": "https://github.com/advisories/GHSA-79jw-2f46-wv22", "reference_id": "GHSA-79jw-2f46-wv22", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-79jw-2f46-wv22" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22", "reference_id": "GHSA-79jw-2f46-wv22", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:38Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60777?format=api", "purl": "pkg:composer/october/system@1.0.474", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-196s-wgwr-kyd6" }, { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.474" }, { "url": "http://public2.vulnerablecode.io/api/packages/60778?format=api", "purl": "pkg:composer/october/system@1.1.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-196s-wgwr-kyd6" }, { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/60779?format=api", "purl": "pkg:composer/october/system@2.1.27", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@2.1.27" } ], "aliases": [ "CVE-2022-21705", "GHSA-79jw-2f46-wv22" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-26wk-v39m-tue9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52678?format=api", "vulnerability_id": "VCID-2uyw-p2r5-wbfc", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in october/system.", "references": [ { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://github.com/octobercms/october/commit/5c7ba9fbe9f2b596b2f0e3436ee06b91b97e5892", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october/commit/5c7ba9fbe9f2b596b2f0e3436ee06b91b97e5892" }, { "reference_url": "https://github.com/octobercms/october/issues/5097", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october/issues/5097" }, { "reference_url": "https://github.com/advisories/GHSA-v73w-r9xg-7cr9", "reference_id": "GHSA-v73w-r9xg-7cr9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v73w-r9xg-7cr9" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-v73w-r9xg-7cr9", "reference_id": "GHSA-v73w-r9xg-7cr9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-v73w-r9xg-7cr9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77459?format=api", "purl": "pkg:composer/october/system@1.0.466", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-196s-wgwr-kyd6" }, { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-26wk-v39m-tue9" }, { "vulnerability": "VCID-32np-fww5-sqgs" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-c9ym-e1xq-euah" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-jwc2-ypme-27f5" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-y9cb-1xee-xkc5" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.466" } ], "aliases": [ "GHSA-v73w-r9xg-7cr9", "GMS-2020-570", "GMS-2020-582" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2uyw-p2r5-wbfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41364?format=api", "vulnerability_id": "VCID-32np-fww5-sqgs", "summary": "Improper Authentication\noctobercms in a CMS platform based on the Laravel PHP Framework. There exists a vulnerability that is exploitable by unauthenticated users via a specially crafted request. This only affects frontend users and the attacker must obtain a Laravel secret key for cookie encryption and signing in order to exploit this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29487", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00503", "scoring_system": "epss", "scoring_elements": "0.66467", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00503", "scoring_system": "epss", "scoring_elements": "0.665", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00503", "scoring_system": "epss", "scoring_elements": "0.66516", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00503", "scoring_system": "epss", "scoring_elements": "0.66508", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29487" }, { "reference_url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374" }, { "reference_url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29487", "reference_id": "CVE-2021-29487", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29487" }, { "reference_url": "https://github.com/advisories/GHSA-h76r-vgf3-j6w5", "reference_id": "GHSA-h76r-vgf3-j6w5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h76r-vgf3-j6w5" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-h76r-vgf3-j6w5", "reference_id": "GHSA-h76r-vgf3-j6w5", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-h76r-vgf3-j6w5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58825?format=api", "purl": "pkg:composer/october/system@1.0.472", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-196s-wgwr-kyd6" }, { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-26wk-v39m-tue9" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-jwc2-ypme-27f5" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-y9cb-1xee-xkc5" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.472" }, { "url": "http://public2.vulnerablecode.io/api/packages/58826?format=api", "purl": "pkg:composer/october/system@1.1.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-196s-wgwr-kyd6" }, { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-26wk-v39m-tue9" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-jwc2-ypme-27f5" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-y9cb-1xee-xkc5" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.5" } ], "aliases": [ "CVE-2021-29487", "GHSA-h76r-vgf3-j6w5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-32np-fww5-sqgs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90260?format=api", "vulnerability_id": "VCID-4vw2-nuyr-aqdc", "summary": "October CMS has Safe Mode Bypass via CSS Preprocessor Compilers\nA server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft `.less`, `.sass`, or `.scss` files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with `cms.safe_mode` enabled.\n\n### Impact\n- Potential exposure of sensitive server-side files\n- Requires authenticated backend access with Editor permissions\n- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. When `cms.safe_mode` is enabled, `.less`, `.sass`, and `.scss` files can no longer be created, uploaded, or edited across the CMS editor, media manager, and file upload interfaces. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Set `cms.editable_asset_types` config to `['css', 'js']` to remove preprocessor file types from the editor\n- Restrict Editor tool access to fully trusted administrators only\n\n- Reported by [Chris Alupului](https://github.com/neosprings)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26067", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17135", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17096", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.1713", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26067" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T17:35:10Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26067", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26067" }, { "reference_url": "https://github.com/advisories/GHSA-3888-q23f-x7qh", "reference_id": "GHSA-3888-q23f-x7qh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3888-q23f-x7qh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110224?format=api", "purl": "pkg:composer/october/system@3.7.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/110223?format=api", "purl": "pkg:composer/october/system@4.1.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.10" } ], "aliases": [ "CVE-2026-26067", "GHSA-3888-q23f-x7qh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4vw2-nuyr-aqdc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49644?format=api", "vulnerability_id": "VCID-9szw-dbdz-vfgp", "summary": "October CMS Vulnerable to Stored XSS via Branding Styles\nA cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms:\n\n- **Branding and Appearances Styles**\nA user with the `Customize Backend Styles` permission could inject malicious HTML/JS into the stylesheet input at\n*Settings → Branding & Appearance → Styles*.\n\nA specially crafted input could break out of the intended `<style>` context, allowing arbitrary script execution across backend pages for all users.\n\n---", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61676", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07989", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20987", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.21", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61676" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61676", "reference_id": "CVE-2025-61676", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61676" }, { "reference_url": "https://github.com/advisories/GHSA-wvpq-h33f-8rp6", "reference_id": "GHSA-wvpq-h33f-8rp6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wvpq-h33f-8rp6" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6", "reference_id": "GHSA-wvpq-h33f-8rp6", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:34:07Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73285?format=api", "purl": "pkg:composer/october/system@3.7.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/73286?format=api", "purl": "pkg:composer/october/system@4.0.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.0.12" } ], "aliases": [ "CVE-2025-61676", "GHSA-wvpq-h33f-8rp6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9szw-dbdz-vfgp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89469?format=api", "vulnerability_id": "VCID-a6gp-aaq2-e7cw", "summary": "October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations\nFine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted `editor` access but had `editor.cms_assets` or `editor.tailor_blueprints` specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions.\n\n### Impact\n- Only exploitable by authenticated backend users with `editor` access who have been specifically denied the `editor.cms_assets` or `editor.tailor_blueprints` sub-permissions\n- Does not affect default permission configurations where editor users typically have all sub-permissions granted\n- Users without `editor.cms_assets` could manipulate theme asset files (delete, rename, move, upload, create directories)\n- Users without `editor.tailor_blueprints` could manipulate blueprint files (delete, rename, move, upload, create directories)\n- Users without `editor.tailor_blueprints` could view the theme blueprint navigation tree, disclosing file paths and directory structure\n\n### Patches\nThe vulnerability has been patched in v3.7.16 and v4.1.16. Fine-grained document type permission checks are now enforced on all asset and blueprint file operation commands, and the navigation node condition logic has been corrected. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\n- Restrict the `editor` permission to fully trusted administrators only\n- Remove the `editor` permission from any user who should not have asset or blueprint management access", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29179", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10179", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10212", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10191", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29179" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T16:46:35Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29179", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29179" }, { "reference_url": "https://github.com/advisories/GHSA-jvwg-phxx-j3rp", "reference_id": "GHSA-jvwg-phxx-j3rp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jvwg-phxx-j3rp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110645?format=api", "purl": "pkg:composer/october/system@3.7.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/110644?format=api", "purl": "pkg:composer/october/system@4.1.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.16" } ], "aliases": [ "CVE-2026-29179", "GHSA-jvwg-phxx-j3rp" ], "risk_score": 1.5, "exploitability": "0.5", "weighted_severity": "3.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a6gp-aaq2-e7cw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41365?format=api", "vulnerability_id": "VCID-c9ym-e1xq-euah", "summary": "Weak Password Recovery Mechanism for Forgotten Password\noctobercms in a CMS platform based on the Laravel PHP Framework. An attacker can request an account password reset and then gain access to the account using a specially crafted request.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32648", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.93036", "scoring_system": "epss", "scoring_elements": "0.99793", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32648" }, { "reference_url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-06T19:37:19Z/" } ], "url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374" }, { "reference_url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-06T19:37:19Z/" } ], "url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32648", "reference_id": "CVE-2021-32648", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32648" }, { "reference_url": "https://github.com/advisories/GHSA-mxr5-mc97-63rc", "reference_id": "GHSA-mxr5-mc97-63rc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mxr5-mc97-63rc" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc", "reference_id": "GHSA-mxr5-mc97-63rc", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-06T19:37:19Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58825?format=api", "purl": "pkg:composer/october/system@1.0.472", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-196s-wgwr-kyd6" }, { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-26wk-v39m-tue9" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-jwc2-ypme-27f5" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-y9cb-1xee-xkc5" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.472" }, { "url": "http://public2.vulnerablecode.io/api/packages/58826?format=api", "purl": "pkg:composer/october/system@1.1.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-196s-wgwr-kyd6" }, { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-26wk-v39m-tue9" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-jwc2-ypme-27f5" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-y9cb-1xee-xkc5" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.5" } ], "aliases": [ "CVE-2021-32648", "GHSA-mxr5-mc97-63rc" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c9ym-e1xq-euah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110350?format=api", "vulnerability_id": "VCID-dc1p-1k62-2ub6", "summary": "October CMS upload process vulnerable to RCE via Race Condition\n### Impact\n\nThis advisory affects plugins that expose the `October\\Rain\\Database\\Attach\\File::fromData` as a public interface. This vulnerability does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally.\n\nWhen the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory.\n\n### Patches\n\nThe issue has been patched in Build 476 (v1.0.476) and v1.1.12 and v2.2.15.\n\n### Workarounds\n\nApply https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83 to your installation manually if unable to upgrade to Build 476 (v1.0.476) or v1.1.12 or v2.2.15.\n\n### References\n\nCredits to:\n- DucNT, HungTD and GiangVQ from RedTeam@VNG Security Response Center.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n- Email us at [hello@octobercms.com](mailto:hello@octobercms.com)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24800", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02925", "scoring_system": "epss", "scoring_elements": "0.86687", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.02925", "scoring_system": "epss", "scoring_elements": "0.8667", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02925", "scoring_system": "epss", "scoring_elements": "0.86692", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.02925", "scoring_system": "epss", "scoring_elements": "0.86691", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24800" }, { "reference_url": "https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:51:41Z/" } ], "url": "https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:51:41Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24800", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24800" }, { "reference_url": "https://github.com/advisories/GHSA-8v7h-cpc2-r8jp", "reference_id": "GHSA-8v7h-cpc2-r8jp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8v7h-cpc2-r8jp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/148983?format=api", "purl": "pkg:composer/october/system@1.0.476", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.476" }, { "url": "http://public2.vulnerablecode.io/api/packages/148984?format=api", "purl": "pkg:composer/october/system@1.1.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/148985?format=api", "purl": "pkg:composer/october/system@2.2.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@2.2.15" } ], "aliases": [ "CVE-2022-24800", "GHSA-8v7h-cpc2-r8jp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dc1p-1k62-2ub6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49647?format=api", "vulnerability_id": "VCID-e34y-jzm8-5uhd", "summary": "October CMS Vulnerable to Stored XSS via Editor and Branding Styles\nA cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms:\n\n- **Editor Settings Markup Styles**\nA user with the `Global Editor Settings` permission could inject malicious HTML/JS into the stylesheet input at\n*Settings → Editor Settings → Markup Styles*.\n\nA specially crafted input could break out of the intended `<style>` context, allowing arbitrary script execution across backend pages for all users.\n\n---", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61674", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20942", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20987", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.21", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61674" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61674", "reference_id": "CVE-2025-61674", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61674" }, { "reference_url": "https://github.com/advisories/GHSA-gxxc-m74c-f48x", "reference_id": "GHSA-gxxc-m74c-f48x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gxxc-m74c-f48x" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x", "reference_id": "GHSA-gxxc-m74c-f48x", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:33:26Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73285?format=api", "purl": "pkg:composer/october/system@3.7.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/73286?format=api", "purl": "pkg:composer/october/system@4.0.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.0.12" } ], "aliases": [ "CVE-2025-61674", "GHSA-gxxc-m74c-f48x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e34y-jzm8-5uhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108765?format=api", "vulnerability_id": "VCID-hk1m-fbhk-4khm", "summary": "October CMS Safe Mode bypass leads to authenticated Remote Code Execution\n### Impact\n\nThis vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the \"Editor\" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request.\n\n### Patches\n\nThe issue has been patched in v2.2.34 and v3.0.66\n\n### References\n\nCredits to:\n\n- David Miller\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Email us at [hello@octobercms.com](mailto:hello@octobercms.com)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-35944", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00532", "scoring_system": "epss", "scoring_elements": "0.67626", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00532", "scoring_system": "epss", "scoring_elements": "0.67664", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00532", "scoring_system": "epss", "scoring_elements": "0.67674", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00532", "scoring_system": "epss", "scoring_elements": "0.67667", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-35944" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L" }, { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:47:57Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35944", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35944" }, { "reference_url": "https://github.com/advisories/GHSA-x4q7-m6fp-4v9v", "reference_id": "GHSA-x4q7-m6fp-4v9v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x4q7-m6fp-4v9v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/144521?format=api", "purl": "pkg:composer/october/system@2.2.34", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@2.2.34" }, { "url": "http://public2.vulnerablecode.io/api/packages/144522?format=api", "purl": "pkg:composer/october/system@3.0.66", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.0.66" } ], "aliases": [ "CVE-2022-35944", "GHSA-x4q7-m6fp-4v9v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hk1m-fbhk-4khm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42079?format=api", "vulnerability_id": "VCID-jwc2-ypme-27f5", "summary": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\nOctober CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework., an attacker with \"create, modify and delete website pages\" privileges in the backend is able to execute PHP code by running specially crafted Twig code in the template markup. The issue has been patched in Build (v1.0.473) and v1.1.6. Those unable to upgrade may apply the patch to their installation manually as a workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32649", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.005", "scoring_system": "epss", "scoring_elements": "0.66366", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.005", "scoring_system": "epss", "scoring_elements": "0.66322", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.005", "scoring_system": "epss", "scoring_elements": "0.66373", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.005", "scoring_system": "epss", "scoring_elements": "0.66381", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32649" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:56:55Z/" } ], "url": "https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32649", "reference_id": "CVE-2021-32649", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32649" }, { "reference_url": "https://github.com/advisories/GHSA-wv23-pfj7-2mjj", "reference_id": "GHSA-wv23-pfj7-2mjj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wv23-pfj7-2mjj" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj", "reference_id": "GHSA-wv23-pfj7-2mjj", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:56:55Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60179?format=api", "purl": "pkg:composer/october/system@1.0.473", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-196s-wgwr-kyd6" }, { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-26wk-v39m-tue9" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.473" }, { "url": "http://public2.vulnerablecode.io/api/packages/146157?format=api", "purl": "pkg:composer/october/system@1.1.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-196s-wgwr-kyd6" }, { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-26wk-v39m-tue9" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.6" } ], "aliases": [ "CVE-2021-32649", "GHSA-wv23-pfj7-2mjj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jwc2-ypme-27f5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89944?format=api", "vulnerability_id": "VCID-uwud-4zb3-qyav", "summary": "October CMS: Reflected XSS via DataTable Form Widget\nA reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping.\n\n### Impact\n- Reflected XSS only, no stored/persistent component\n- The backend URL prefix is customizable and must be known or guessed by the attacker\n- Requires an authenticated backend user to visit a crafted URL\n- No direct access is gained without social engineering\n\n### Patches\nThe vulnerability has been patched in v3.7.16 and v4.1.16. The affected parameter is now properly escaped. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\n- Use a non-default backend URL prefix (recommended as standard practice)\n- Implement a Content Security Policy (CSP) for backend pages", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27937", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11049", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11084", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.1109", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27937" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T20:27:38Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27937", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27937" }, { "reference_url": "https://github.com/advisories/GHSA-jj38-h5w5-mvpf", "reference_id": "GHSA-jj38-h5w5-mvpf", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jj38-h5w5-mvpf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110645?format=api", "purl": "pkg:composer/october/system@3.7.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/110644?format=api", "purl": "pkg:composer/october/system@4.1.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.16" } ], "aliases": [ "CVE-2026-27937", "GHSA-jj38-h5w5-mvpf" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uwud-4zb3-qyav" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89175?format=api", "vulnerability_id": "VCID-vr44-mn2w-sfgt", "summary": "October CMS has Stored XSS in Backend Editor Markup Classes\nA stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor.\n\n### Impact\n- Stored XSS via editor settings rendered in RichEditor dropdowns\n- Could allow privilege escalation if a superuser opens any RichEditor (e.g., editing a blog post)\n- Requires authenticated backend access with editor settings permissions\n- Triggers on routine content editing operations\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Restrict editor settings permissions to fully trusted administrators only\n\n### References\n- Reported by [Chris Alupului](https://github.com/neosprings)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24906", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01923", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01932", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01927", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24906" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-6qmh-j78v-ffp7", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T13:45:53Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-6qmh-j78v-ffp7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24906", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24906" }, { "reference_url": "https://github.com/advisories/GHSA-6qmh-j78v-ffp7", "reference_id": "GHSA-6qmh-j78v-ffp7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6qmh-j78v-ffp7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110224?format=api", "purl": "pkg:composer/october/system@3.7.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/110223?format=api", "purl": "pkg:composer/october/system@4.1.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.10" } ], "aliases": [ "CVE-2026-24906", "GHSA-6qmh-j78v-ffp7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vr44-mn2w-sfgt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42076?format=api", "vulnerability_id": "VCID-y9cb-1xee-xkc5", "summary": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\nOctober CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with access to the backend is able to execute PHP code by using the theme import feature. This will bypass the safe mode feature that prevents PHP execution in the CMS templates.The issue has been patched in Build 473 (v1.0.473) and v1.1.6. Those unable to upgrade may apply the patch to their installation manually as a workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32650", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.78264", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.78241", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.78267", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.78275", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32650" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:45:24Z/" } ], "url": "https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32650", "reference_id": "CVE-2021-32650", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32650" }, { "reference_url": "https://github.com/advisories/GHSA-5hfj-r725-wpc4", "reference_id": "GHSA-5hfj-r725-wpc4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5hfj-r725-wpc4" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-5hfj-r725-wpc4", "reference_id": "GHSA-5hfj-r725-wpc4", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:45:24Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-5hfj-r725-wpc4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60179?format=api", "purl": "pkg:composer/october/system@1.0.473", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-196s-wgwr-kyd6" }, { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-26wk-v39m-tue9" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.473" }, { "url": "http://public2.vulnerablecode.io/api/packages/146157?format=api", "purl": "pkg:composer/october/system@1.1.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-196s-wgwr-kyd6" }, { "vulnerability": "VCID-1u23-49vh-a7cz" }, { "vulnerability": "VCID-26wk-v39m-tue9" }, { "vulnerability": "VCID-4vw2-nuyr-aqdc" }, { "vulnerability": "VCID-9szw-dbdz-vfgp" }, { "vulnerability": "VCID-a6gp-aaq2-e7cw" }, { "vulnerability": "VCID-dc1p-1k62-2ub6" }, { "vulnerability": "VCID-e34y-jzm8-5uhd" }, { "vulnerability": "VCID-hk1m-fbhk-4khm" }, { "vulnerability": "VCID-uwud-4zb3-qyav" }, { "vulnerability": "VCID-vr44-mn2w-sfgt" }, { "vulnerability": "VCID-yxdc-vsf3-f7fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.6" } ], "aliases": [ "CVE-2021-32650", "GHSA-5hfj-r725-wpc4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y9cb-1xee-xkc5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89881?format=api", "vulnerability_id": "VCID-yxdc-vsf3-f7fp", "summary": "October CMS has Stored XSS in Event Log Mail Preview\nA stored cross-site scripting (XSS) vulnerability was identified in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context.\n\n### Impact\n- Stored XSS via mail template content rendered in Event Log\n- Could allow privilege escalation if a superuser views a malicious log entry\n- Requires authenticated backend access with mail template editing permissions\n- Requires a superuser to view the specific Event Log entry to trigger\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Restrict mail template editing permissions to fully trusted administrators only\n- Restrict Event Log viewing permissions to minimize exposure\n\n### References\n- Reported by [Chris Alupului](https://github.com/neosprings)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24907", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11393", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11354", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11389", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24907" }, { "reference_url": "https://github.com/octobercms/october", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/octobercms/october" }, { "reference_url": "https://github.com/octobercms/october/security/advisories/GHSA-j4j5-9x6g-rgxc", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T19:29:36Z/" } ], "url": "https://github.com/octobercms/october/security/advisories/GHSA-j4j5-9x6g-rgxc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24907", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24907" }, { "reference_url": "https://github.com/advisories/GHSA-j4j5-9x6g-rgxc", "reference_id": "GHSA-j4j5-9x6g-rgxc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j4j5-9x6g-rgxc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110224?format=api", "purl": "pkg:composer/october/system@3.7.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/110223?format=api", "purl": "pkg:composer/october/system@4.1.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.10" } ], "aliases": [ "CVE-2026-24907", "GHSA-j4j5-9x6g-rgxc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yxdc-vsf3-f7fp" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.439" }